Current source for cryptographic processor

ABSTRACT

To provide increased security against differential power analysis attacks, a data processing device is provided with a current converter that draws current from an external supply and cyclically apportions drawn current between a charge storage device and a processor such that the drawn current varies independently of the instantaneous power demand of the processor. The data processing device includes: a processor; a charge storage device coupled to the processor; and a current source for supplying the processor with operating current, and adapted to vary its output current independently of the instantaneous power demand of the processor.

The present invention relates to cryptographic devices such as thosetypically installed in smart cards and other devices, which may havevulnerability to power analysis attacks to obtain information therefrom.

Many cryptographic devices are implemented using microprocessors andassociated logic on devices such as smart cards. It is often necessaryto ensure that important data stored on smart cards, such ascryptographic keys and the like, is kept secure. A number of poweranalysis techniques have been published that facilitate the obtaining ofdata from the smart card that would otherwise, in the course of normalinput and output operations, be securely encrypted. In particular,analysis of the power consumption of the logic performing an encryptionor decryption operation may be used to establish the round keys used inthe encryption or decryption operation.

Such techniques are discussed, for example, in Kocher et al:“Differential Power Analysis”, www.cryptography.com and Messerges et al:“Investigations of Power analysis Attacks on Smartcards”, Proceedings ofUSENIX Workshop on Smartcard Technology, May 1999, pp. 151-161. Thepower consumption of a smart card is conventionally strongly related tothe number of bit transitions occurring at each clock pulse. Statisticalanalysis of the power dissipation of the smart card during successivecycles of a cryptographic algorithm has been shown to yield sufficientinformation to obtain the cryptographic keys in use.

Differential power analysis attacks rely on correlation between thepower dissipation traces and the data processing operations of theprocessor logic and the ability to average many such traces over time.

It is an object of the present invention to provide a power supply andmode of operation of a cryptographic processor that improves thesecurity of cryptographic processors against power analysis attacks.

According to one aspect, the present invention provides a dataprocessing device including:

a processor,

a charge storage device coupled to the processor,

a current source for supplying the processor with operating current, andadapted to vary its output current independently of the instantaneouspower demand of the processor.

According to another aspect, the present invention provides a method ofoperating a data processing device, comprising the steps of:

drawing current from an external supply; and

cyclically apportioning drawn current between a charge storage deviceand a processor within the data processing device such that the drawncurrent varies independently of the instantaneous power demand of theprocessor.

Embodiments of the present invention will now be described by way ofexample and with reference to the accompanying drawings in which:

FIG. 1 illustrates a power supply for a processor according to apreferred embodiment of the invention;

FIG. 2 shows a schematic diagram illustrating the various functionalblocks of the power supply of FIG. 1; and

FIG. 3 is a graph illustrating the current switching control of apreferred power supply.

With reference to FIG. 1, various possible embodiments of a DC-DCconverting power supply for a cryptographic processor are now described.

A current source 10 draws current from a supply voltage V_(CC) andsupplies a current I_(DD) to a processor 11. The processor 11 may be anyform of data processing logic circuitry. A decoupling capacitor Creceives current from the current source 10 when the current supplied bythe current source 10 exceeds the requirements of the processor 11, andsupplies current to the processor when the current supplied by thecurrent source falls short of the requirements of the processor. Thefunction of capacitor C could also be implemented by any suitablealternative charge storage mechanism.

In a first embodiment, the current source 10 comprises a first currentsource 12 which supplies substantially constant current I_(CC) at twodifferent current levels. A first one of these current levels is higherthan an average demand of the processor and the second one of thesecurrent levels is lower than an average demand of the processor 11.Switching between the current levels occurs on a periodic or aperiodicbasis as will be illustrated later.

During periods in which the first one of the current levels is beingdelivered, the voltage V_(DD) supplied to the processor will rise, asexcess current is stored in the capacitor C. During periods in which thesecond one of the current levels is being delivered, the voltage V_(DD)will fall, as the shortfall in current is supplied (discharged) fromcapacitor C.

The result is a saw tooth voltage V_(DD). Over a period of time, theaverage current I_(CC) supplied by the current source 10 will be equalto the average current demand I_(DD) of the processor. However, it willbe noted that the instantaneous values of current I_(CC) supplied by thecurrent source 12 very rarely match the instantaneous values of currentdemand I_(DD) of the processor 11.

The switching of the current levels of the current source 12 isdetermined independently of the instantaneous activities of theprocessor, so that the frequency and phase of the saw tooth voltageV_(DD) do not reflect the immediate activities of the processor. Inother words, frequency and phase of the voltage V_(DD) are not linked toan internal clock frequency of the processor, nor to data manipulationoperations being carried out by the processor 11.

The control of the current source 12 typically will also include somehysteresis, which is advantageous in maintaining a lack of correlationbetween the processor activity and the frequency and phase of the sawtooth voltage V_(DD).

The processor 11 is controlled by an internal oscillator clock of whichthe frequency is voltage dependent. Typically, the lower the voltagesupply V_(DD) to the processor, the lower the clock frequency of theprocessor. Conversely, the higher the voltage supply V_(DD) to theprocessor, the higher the clock frequency of the processor. This meansthat the duration of any procedure performed by the processor (forexample, a RSA calculation or a DES/AES encryption/decryption operation)will depend upon the level of the supply voltage V_(DD).

In a differential power analysis attack, it is necessary to align manysuccessive power traces so that corresponding processing operations arealigned in the time axis and can be averaged. This becomes very muchmore difficult when the frequency of operation of the processor iscontinually varying, because the effective time base of successive powertraces is continually changing.

The processor might also be asynchronously designed, which will alsoresult in the duration of any procedure performed by the processor beingdependent upon the level of supply voltage V_(DD).

In a further embodiment, the current source 10 may include, in additionto bi-level current source 12, a second current source 13 which isadapted to deliver a pseudo-noise current component I_(N) to the currentsupply. The noise current I_(N) varies on a random or pseudo-randombasis. The second current source 13 may be operated in a number ofdifferent ways.

When I_(N) is controlled by a pseudo-noise generator it will hide thetrigger points that are necessary in a differential power analysisattack in order to provide a reference point on the time axis, to alignmultiple traces for averaging. The pseudo-noise generator thereforemakes triggering of suitable analysis equipment (eg. a digital samplingoscilloscope) even more difficult.

If the clock of the pseudo-noise generator 13 has a fixed frequency,then analysis of power traces by adding a number of power traces willfilter out the noise. However, the bigger the amplitude of the noisecurrent I_(N), the more traces are needed to remove the noise and thegreater the blurring of target patterns and spikes in the power traces.Therefore, the noise current I_(N) is preferably a significantproportion of the bi-level current I_(CC).

Preferably, the peak value of the pseudo-noise current I_(N) is smallerthan the bi-level current I_(CC) supplied by the first current source12. In a preferred arrangement, the peak noise current I_(N) liesapproximately in the range 5 to 10% of the bi-level current I_(CC)supplied by the first current source 12.

In a preferred arrangement, the pseudo-noise generator 13 is initialisedfor each instruction sequence of the processor 11. If the pseudo-noisegenerator is initialised for each instruction sequence of the processor,then the noise pattern will be the same in each power trace for thatinstruction sequence. Thus, when adding the power traces to try toremove noise, the noise pattern will be enhanced rather than averagedout. In this case, the differential power analyst must first determinethe noise pattern and subtract it from each power trace before addingthe power traces together. Every mismatch between the true noise patternand the deduced pattern that is subtracted will then add togetherresulting in spurious spikes in the averaged trace. These spikes maysuccessfully hide the true data spikes that the analyst is seeking.

In a further arrangement, the pseudo-noise generator 13 is clocked bythe same clock as the processor 11, and the noise generator isinitialised for each instruction sequence of the processor. In this way,the noise is substantially repeated. Adding a number of power tracestogether will result in a substantially constant noise signal. Someparts of the noise traces will add together and other parts will becancelled out. Adding more traces or subtracting traces will not beeffective at removing the noise component.

With reference to FIG. 2, the regulation of the current source I_(CC)will now be described.

In the preferred arrangement, the regulation of the current source 10 isperformed automatically such that the average current I_(CC) (+I_(N) ifa noise current generator 13 is included) supplied by the currentgenerator 10 will match the average current demand of the processor 11.

The current regulator adapts the operation of the current supply whenthe average current demand I_(DD) of the processor varies over time.

The supply voltage V_(DD) is permitted to vary between an upper voltagelevel and a lower voltage level which are within the operatingspecification of the processor, such that the processor can beguaranteed to operate correctly. The current generator 10 must varycurrent level such that at the higher current level, the processorsupply voltage V_(DD) tends to rise, and such that at the lower currentlevel the processor supply voltage V_(DD) tends to fall. The upper levelof V_(DD) could be fixed by a zener diode D (FIG. 1) to prevent damageto the processor.

In the preferred arrangement of FIG. 2, a current switch control circuit20 is operative to switch the current source 12 between a first, highercurrent level and a second, lower current level. The first current levelis sufficient to cause the voltage V_(DD) to rise under normal operationof the processor 11. The second current level is sufficient to cause thevoltage V_(DD) to fall under normal operation of the processor 11.

A threshold detection circuit 23 monitors V_(DD) and detects a rise (orfall) of V_(DD) to the upper (or lower) threshold levels. Upon reachingthe higher threshold voltage level, the current switch control circuit20 switches the current supply I_(CC) to its second (lower) currentlevel. Upon V_(DD) reaching the lower threshold voltage level, thecurrent switch control circuit 20 switches the current supply 10 back toits first (higher) current level.

In a preferred arrangement, a timer circuit 22 is provided which isstarted when the upper threshold voltage is detected. The timer circuit22 then determines the time period t for the processor supply voltageV_(DD) to reach the lower threshold voltage. The operation of this timercircuit 22 is illustrated graphically in FIG. 3.

The timer circuit 22 determines whether the time period t falls within apermissible window t_(max) to t_(min). If the time period lies betweent_(max) and t_(min) (example t₂), no action is taken. If the time periodis less than t_(min) (example t₁), this is communicated to a currentlevel setting circuit 21 which operates to increase the second (lower)current level. If the time period is greater than t_(max) (example t₃),this is communicated to the current level setting circuit 21 whichoperates to decrease the second (lower) current level. Preferably, theadjustments to the current levels are made incrementally. The systemwill always move towards an operation condition in which the downwardpath of the saw tooth wave pattern of V_(DD) has a period betweent_(max) and t_(min).

A similar control arrangement may be applied, mutatis mutandis, to thefirst (upper) current level using the timing of the upward path of thesaw tooth wave.

In this way, the periodicity of the voltage level V_(DD) may bemaintained within predetermined bounds and the current source iscontrolled so as to vary the voltage output V_(DD) to the processorindependently of the instantaneous power demand of the processor.

If the current demand of the processor increases significantly, it ispossible that the first (upper) level current is insufficient toincrease V_(DD). If this occurs, an override circuit 24 may come intooperation to override the normal operation of the current level settingcircuit 21 and/or current switch control circuit 20.

For example, override circuit 24 may detect that V_(DD) remains belowthe lower voltage level for a predetermined time. If this occurs, theoverride circuit 24 may trigger the current level setting circuit 21 toset the highest possible current level. It may also be configured toprevent the current switch control circuit 20 from further switching orvary the switching period until V_(DD) has recovered.

Alternatively, override circuit 24 may sense a non-rising V_(DD) duringa first (upper) level current phase and perform a similar action.

If the current demand of the processor decreases significantly, it ispossible that the second (lower) level current is too high to decreaseV_(DD). If this occurs, the override circuit 24 may come into operationto override the normal operation of the current level setting circuit 21and/or current switch control circuit 20.

For example, override circuit 24 may detect that V_(DD) remains abovethe higher voltage level for a predetermined time. If this occurs, theoverride circuit 24 may trigger the current level setting circuit 21 toset the lowest possible current level. It might also prevent the currentswitch control circuit 20 from further switching or vary the switchingperiod until V_(DD) has recovered.

Alternatively, override circuit 24 may sense a non-falling V_(DD) duringa second (lower) level current phase and perform a similar action.

In an alternative embodiment, a fixed first (higher) current level maybe used and only the second (lower) current level varied. In a stillfurther embodiment, a fixed second (lower) current level may be used andonly the first (upper) current level varied. The second (lower) currentlevel may be as low as zero.

The zener diode D may be used to clamp the voltage and consume anysurplus current. For low supply voltages of, for example 1.8 V, it maybe difficult to obtain a good zener diode. In such a case, the zenerdiode D could be replaced with another voltage clamping arrangement, forexample a voltage comparator and transistor.

In a general sense, it will be noted that the effect of the circuitsdescribed above is to cyclically apportion current that is drawn from anexternal supply rail V_(CC) between a processor 11 and a charge storagecircuit 10 in such a manner the current drawn from the external supplyV_(CC) varies independently of the instantaneous power demand of theprocessor. The control circuitry ensures, however, that theinstantaneous and average power demands of the processor are always met.

The decoupling capacitor C filters out most of the high frequencyvariations in current supply I_(CC). The bi-level constant currentsource 12 producing I_(CC) also decreases any high frequency variationin the external supply current drawn from supply rail V_(CC) as a resultof critical data switching operations within the processor 11. Thecapacitor C also suppresses voltage spikes on the supply voltage thatmay temporarily shut off the current source, because the capacitormaintains current supply to the processor 11. This also applies tovoltage spikes that are induced by an attacker to influence theprocessor's activity. This may include spikes that are purposefullytimed by an attacker so as to prevent a critical operation of theprocessor being performed and thereby cause leakage of usefulinformation.

Broader spikes or interruptions in the power supply V_(CC), for whichthe capacitor C is unable to sustain power to the processor 11 areconventionally dealt with by appropriate processor reset circuitry (notshown).

For additional security, the internal oscillator of the processor 11should be made immune from influence by external factors, such asvarying the voltage supply V_(CC). Supply voltage variations outsidecertain predefined limits preferably will initiate processor or systemreset using control circuitry known in the art.

The repeating changes in the current source 12 output current I_(CC)makes triggering in a differential power analysis attack difficult. Inaddition, the varying speed of the processor 11 resulting from the sawtooth supply voltage V_(DD) means that power traces will not correctlyalign with one another, in that the time base will be varying from traceto trace.

The invention has been described with reference to an embodiment inwhich the current source 10 includes a bi-level constant current source12, which results in a saw tooth supply voltage V_(CC). It will beunderstood that the principles of the invention can also be effectedusing a current source 10 adapted to switch between multiple discretelevels, which would result in a supply voltage V_(DD) that has a verymuch more complex profile.

Similarly, the current source 10 may be adapted to vary output currentcontinuously between two predetermined levels providing that acontinuously varying voltage V_(DD) is achieved. The function of thecyclically varying output of the current source 12 is to ensure that theprocessor supply voltage V_(DD) varies over time as a function of someparameter which is not linked to instantaneous power demand of theprocessor.

It will be understood that for security against power analysis attackson the processor 11, it is important that the voltage node V_(DD) is notaccessible to an external probe. Therefore, the processor 11, capacitorC (or other charge storage device), and current source 10 are preferablyintegrated onto a single integrated circuit (or formed as separatedevices within a single sealed device package) for which there is noindication (direct or indirect) of the voltage V_(DD) provided at any ofthe output pins of the package.

Other embodiments are intentionally within the scope of the appendedclaims.

1. A data processing device including: a processor; a charge storagedevice coupled to the processor; a current source for supplying theprocessor with substantially constant operating current at a levelswitchable among multiple nonzero current levels, and adapted to switchthe level of the output operating current independently of aninstantaneous power demand of the processor by switching, on at leastone of a periodic and an aperiodic basis, among the multiple nonzerocurrent levels.
 2. The device of claim 1 wherein the charge storagedevice comprises a capacitor in series with the current source, andacross which the processor is connected in parallel.
 3. The device ofclaim 1 wherein the current source is adapted to switch between twodifferent nonzero current levels.
 4. The device of claim 3 wherein thecurrent source is adapted to determine the interval between switchingcurrent levels based on an average power demand of the processor.
 5. Thedevice of claim 1 wherein the current source further comprises: a secondcurrent source adapted to provide a noise current, superposed on thesubstantially constant current, that varies on at least one from among arandom and pseudo-random basis.
 6. The device of claim 1 furtherincluding a control means for controlling the current source to maintainthe supply voltage to the processor between an upper voltage limit and alower voltage limit.
 7. The device of claim 1 further including a zenerdiode connected to the processor to maintain the supply voltage to theprocessor between an upper voltage limit and a lower voltage limit. 8.The device of claim 6 wherein the control means includes a currentswitching means for switching the current source between a first, highercurrent level and a second, lower current level, the current levelswitching being triggered by the supply voltage to the processorrespectively reaching the lower voltage limit and the upper voltagelimit.
 9. The device of claim 8 further including a timer fordetermining a time period taken for the processor supply voltage toreach a lower voltage limit from an upper voltage limit, or vice versa.10. The device of claim 9 wherein the timer determines whether the timeperiod falls outside predetermined limits, and further including currentsetting means for varying at least one from among the first currentlevel and the second current level of the current source if the timerdetermines that the time period falls outside the predetermined limits.11. The device of claim 10 wherein the predetermined limits include afirst predetermined threshold, and wherein the current setting meansraises the first current level if the timer determines that the timeperiod for reaching the lower voltage limit falls below the firstpredetermined threshold.
 12. The device of claim 10 wherein thepredetermined limits include a second predetermined threshold, andwherein the current setting means reduces the first current level if thetimer determines that the time period for reaching the lower voltagelimit exceeds the second predetermined level.
 13. The device of claim 10wherein the predetermined limits include a first predeterminedthreshold, and wherein the current setting means reduces the secondcurrent level if the timer determines that the time period for reachingthe upper voltage limit exceeds the first predetermined level.
 14. Thedevice of claim 10 wherein the predetermined limits include a secondpredetermined threshold, and wherein the current setting means raisesthe second current level if the timer determines that the time periodfor reaching the upper voltage limit exceeds the second predeterminedlevel.
 15. The device of claim 8 wherein the control means includesmeans for temporarily inhibiting the current switching means if thesupply voltage to the processor fails to move towards the upper voltagelimit or the lower voltage limit.
 16. The device of claim 1 wherein theprocessor has an internal clock having a frequency that is dependentupon the supply voltage to the processor.
 17. The device of claim 1wherein the processor is a cryptographic processor.
 18. The device ofclaim 1 further comprising a smart card supporting the processor, thecharge storage device, and the current source.
 19. A method of operatinga data processing device having a processor and a charge storage deviceconnected to the processor, comprising: drawing a substantially constantcurrent from an external power supply at a level switchable amongmultiple nonzero levels; and cyclically apportioning the substantiallyconstant current flow from the current source between a charge storagedevice and the processor, wherein the step of cyclically apportioningthe substantially constant current flow switches the drawn current levelbetween the multiple different nonzero substantially constant currentlevels at one from among a periodic and aperiodic basis, the switchingbeing such that the drawn current varies independently of theinstantaneous power demand of the processor.
 20. The method of claim 19wherein the step of cyclically apportioning a current flow to theprocessor and the charge storage device switches the level of the drawncurrent, periodically or aperiodically, between two different nonzerosubstantially constant current levels.
 21. The method of claim 20wherein the step of cyclically apportioning a current flow includesdetermining the interval between switching according to an average powerdemand of the processor.
 22. The method of claim 19 wherein the step ofcyclically apportioning a substantially constant current flow utilizes afirst current source, and further including: utilizing a second currentsource to provide a superposed current that varies on a random orpseudorandom basis and delivering the combined current of the first andsecond current sources to the processor and the charge storage device.23. The method of any one of the claims 19, 20, 21, and 22 furtherincluding the step of maintaining a supply voltage to the processorbetween an upper voltage limit and a lower voltage limit.
 24. The methodof claim 23 wherein the step of cyclically apportioning a substantiallyconstant current flow switches the current level between a first, highercurrent level and a second, lower, current level, when the supplyvoltage to the processor respectively reaches the lower voltage limitand the higher voltage limit.
 25. The method of claim 24 wherein thestep of cyclically apportioning a substantially constant current flowfurther includes the steps of: determining a time period taken for theprocessor supply voltage to reach a lower voltage limit from an uppervoltage limit, or vice versa, and varying the first current level and/orthe second current level of the current if the time period falls outsidepredetermined limits.
 26. The method of claim 25 wherein said step ofvarying further includes raising the first current level if the timeperiod for reaching the lower voltage limit falls below a firstpredetermined threshold.
 27. The method of claim 25 wherein said step ofvarying further includes reducing the first current level if the timeperiod for reaching the lower voltage limit exceeds a secondpredetermined threshold.
 28. The method of claim 25 wherein said step ofvarying further includes reducing the second current level of the timeperiod for reaching the upper voltage limit falls below a firstpredetermined threshold.
 29. The method of claim 25 wherein said step ofvarying further includes raising the second current level if the timeperiod for reaching the upper voltage limit exceeds a secondpredetermined threshold.
 30. The method of claim 24 further includingthe step of temporarily inhibiting the current switching if the supplyvoltage to the processor fails to move towards the upper voltage limitor the lower voltage limit.
 31. The method of claim 19 further includingthe step of controlling the frequency of operation of the processor as afunction of the supply voltage to the processor.
 32. The method of claim26 wherein said step of varying further includes reducing the firstcurrent level if the time period for reaching the lower voltage limitexceeds a second predetermined threshold.